Author: aakanksha_writer
Date: 2012-12-12 09:59:10 -0500 (Wed, 12 Dec 2012)
New Revision: 8996
Modified:
epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml
Log:
bug 856432 resolved
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 06:55:47
UTC (rev 8995)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/Revision_History.xml 2012-12-12 14:59:10
UTC (rev 8996)
@@ -8,6 +8,21 @@
<simpara>
<revhistory>
<revision>
+ <revnumber>6.0.0-19</revnumber>
+ <date>Mon Dec 12 2012</date>
+ <author>
+ <firstname>Aakanksha</firstname>
+ <surname>Singh</surname>
+ <email/>
+ </author>
+ <revdescription>
+ <simplelist>
+ <member>BZ#856432 - Added WSRP content related to CXF and WS-Security
from
https://docs.jboss.org/author/display/GTNPORTAL35/Securing+WSRP</membe...
+ </simplelist>
+ </revdescription>
+ </revision>
+
+ <revision>
<revnumber>6.0.0-18</revnumber>
<date>Mon Dec 11 2012</date>
<author>
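Review bot: the new `<date>` line reads `Mon Dec 12 2012`, but the commit header above stamps this change Wed, 12 Dec 2012, so the weekday is wrong (the preceding 6.0.0-18 entry has the same problem: 11 Dec 2012 was a Tuesday, not a Monday). The `<email/>` element in the new `<author>` block is empty; either fill in the author's address or drop the element rather than shipping an empty tag.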
Modified: epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml
===================================================================
--- epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2012-12-12 06:55:47 UTC
(rev 8995)
+++ epp/docs/branches/6.0/Reference_Guide/en-US/modules/WSRP.xml 2012-12-12 14:59:10 UTC
(rev 8996)
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!-- This document was created with Syntext Serna Free. --><!DOCTYPE chapter
PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "../Reference_Guide.ent">
%BOOK_ENTITIES;
]>
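Review bot: the added `<!-- This document was created with Syntext Serna Free. -->` comment is editor noise, not documentation, and it also drags the `<!DOCTYPE chapter` declaration onto the same line. Drop the comment so the prolog stays exactly as it was in rev 8995; nothing else in this hunk changes.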
@@ -159,15 +159,11 @@
<para>
Of course, if you have modified the host name and port on which your server
runs, you will
need to
- update the configuration for the consumer used to consume JBoss Portal
Platform's 'self' producer. Please refer to
- the
- <xref linkend="consumer_configuration"/>
- to learn how to do so.
- </para>
+ update the configuration for the consumer used to consume JBoss Portal
Platform's 'self' producer. </para>
</section>
</section>
<section>
- <title>Securing WSRP</title>
+ <title><remark>BZ#856432</remark>Securing WSRP</title>
<section>
<title>Considerations to use WSRP with SSL</title>
<para>
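Review bot: the sentence "Please refer to the `<xref linkend="consumer_configuration"/>` to learn how to do so." is deleted without a replacement, so a reader who changed the host name or port is no longer told where the consumer configuration is described. The deletion is only needed because this same patch removes `id="consumer_configuration"` from the consumer section further down; keep the id and restore the xref instead of dropping the pointer.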
@@ -213,36 +209,91 @@
<section id="wss_configuration">
<title><remark>BZ#839355</remark>WS-Security
Configuration</title>
<para>
-JBoss Portal Platform uses JBossWS Native to handle ws-security (refer to the
<citetitle>Web Services</citetitle> section of the
-<citetitle>JBoss Enterprise Application Platform 5 Administration and Configuration
Guide</citetitle>. Note that since the consumer passes its credentials to the
producer, the consumer acts as the wss client and the producer acts as the wss server.
+JBoss Portal Platform uses JBossWS CXF instead of the JBossWS Native to handle
ws-security. Due to these changes, the configuration for WS-Security with JBoss Portal
Platform on JBoss Enterprise Application Platform is changed. </para>
+ <note>
+ <para>We only support one ws-security configuration option for the
producer. All consumers accessing the producer will have to conform to this security
constraint. This means if the producer requires encryption, all consumers will be required
to encrypt their messages when accessing the producer.
+</para>
+ <para>
+We only support one ws-security configuration option to be used by all the consumers. A
consumer has the option to enable or disable ws-security, which allows for one or more
consumers to use ws-security while the others do not.</para>
+ </note>
+ <para>Note that since the consumer passes its credentials to the producer,
the consumer acts as the wss client and the producer acts as the wss server.
</para>
- <para> The following are the JBossWS Native configuration files which need
to be configure for WSRP:
- </para>
+ <para>CXF uses interceptors to extend and configure its behaviour. There
are two main types of interceptors: inInterceptors and outInterceptors. </para>
+ <para>InInterceptors are invoked for communication coming into the client
or server, while outInterceptors are invoked when the client or server sends a message.
+
+So for the WSRP, the communication from the consumer to the producer is governed by the
consumer's OutInterceptor and the producer's InIntereceptor.
</para>
+ <para>The communication from the producer to the consumer is governed by
the producer's OutInterceptor and the consumer's InInterceptor. This
means having to configure four Interceptors.</para>
+ <para>Important points to be considered while dealing with
WS-Security</para>
<itemizedlist>
<listitem>
- <para>JBossWS
- configuration file for the consumer.
- </para>
- <para>
-
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE/</replaceable>conf/gatein/gatein-wsse-consumer.xml</filename></para>
+ <para>In case of user propagation, only the consumer sends the user
credentials to the producer. So Username Tokens only need to be configured for the
consumer's OutInterceptor and the producer's
InInterceptor.</para>
+ <para>For encryption, you will most likely want to encrypt the message
from the consumer to the producer and also the message from the producer to the consumer.
This means that encryption properties must be configured for all four
interceptors.</para>
</listitem>
- <listitem>
- <para>JBossWS configuration file for the producer.
- </para>
- <para>
-
<filename><replaceable>JPP_DIST</replaceable>/jboss-as/server/<replaceable>PROFILE</replaceable>/conf/gatein/gatein-wsse-producer.xml
</filename></para>
- </listitem>
</itemizedlist>
+ <para>For more details on types of interceptors refer</para>
+ <para><ulink
url="http://cxf.apache.org/docs/interceptors.html"/></par...
+ <para>To support ws-security, JBoss Portal Platform uses CXF's
WSS4J Interceptors which handle all ws-security related tasks, for more details on CXF
documentation refer</para>
+ <para><ulink
url="http://cxf.apache.org/docs/ws-security.html"/></para...
</section>
<section>
- <title>WS-Security Producer Configuration</title>
- <para>
- Other than the JBossWS configuration file mention above, no other
configuration changes should be necessary
- for the producer.
- </para>
+ <title>WSS4J Interceptors and WSRP</title>
+ <para>The WSS4J Interceptors are configured using using simple property
files.
+
+WSRP looks for specific property files to know whether or not in/out interceptors must be
added and configured for either consumers or producer. </para>
+ <para>Theses files are located in the
standalone/configuration/jpp/wsrp/cxf/ws-security directory of your the JBoss Enterprise
Application Server 6 home directory. </para>
+ <para>Consumer-specific files are in the consumer subdirectory while
producer-specific files should be located in the producer subdirectory. To add and
configure a WSS4J interceptor, you just need to add the proper configuration file in the
proper directory. If no configuration file is found for a specific interceptor type, then
no such interceptor will be added. </para>
+ <para>"In" interceptors are configured using
WSS4JInInterceptor.properties files while "out" interceptors are
configured using WSS4JOutInterceptor.properties files.
+</para>
+ <table frame="all">
+ <title>Files needed to configure interceptor for WSRP</title>
+ <tgroup cols="3" align="justify">
+ <colspec colnum="1" colname="c1"
colwidth="100"/>
+ <colspec colnum="2" colname="c2"
colwidth="150"/>
+ <colspec colnum="3" colname="c3"
colwidth="400"/>
+ <thead>
+ <row>
+ <entry>Side</entry>
+ <entry>Interceptor Type</entry>
+ <entry>Configuration File</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Consumer</entry>
+ <entry>IN</entry>
+
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JInInterceptor.properties</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>OUT</entry>
+
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties
</entry>
+ </row>
+ <row>
+ <entry>Producer</entry>
+ <entry>IN</entry>
+
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JInInterceptor.properties
</entry>
+ </row>
+ <row>
+ <entry/>
+ <entry>OUT</entry>
+
<entry>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JOutInterceptor.properties
</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <para>Please refer to the CXF or WSS4J documentation for instructions and
options available for each type of interceptors.</para>
+ <section>
+ <title>User Propagation</title>
+ <para>User propagation can be configured to be used over WSRP with
ws-security. What this means is that a user logged into a consumer can have their
credentials propagated over to the producer. This allows the producer to authenticate the
user and any portlet on the producer (a remote portlet from the consumer's
perspective) will view the user as being properly authenticated. This allows for remote
portlets to access things like user information.</para>
+ <para><note>
+ <para>This only works if the user's credentials on the
producer and consumer are the same. This may require using a common authentication
mechanism, such as LDAP.</para>
+ <para>This requires some special options when configuring the
producer and server.</para>
+ </note></para>
+ </section>
</section>
<section>
<title><remark>BZ#839355</remark>WS-Security Consumer
Configuration</title>
+ <para>To configure ws-security on the consumer side, configure the
WSS4JInInterceptor and/or WSS4JOutInterceptor.</para>
<para>In the WSRP Configuration portlet <guilabel>Consumers
Configuration</guilabel> options, check the 'Enable WS Security'
checkbox if you want credentials to be sent to the producer.
</para>
<note>
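Review bot: the paragraph "Theses files are located in the standalone/configuration/jpp/wsrp/cxf/ws-security directory" names a `jpp` path that contradicts the table immediately below it, where every file lives under `standalone/configuration/gatein/wsrp/cxf/ws-security/...`; pick one (the `gatein` path is the one used throughout the rest of the patch) and fix the same paragraph's typos ("Theses" for "These", "your the JBoss Enterprise Application Server 6 home directory", where the product is called JBoss Enterprise Application Platform a few lines earlier). The two paragraphs of the new `<note>` say nearly the same thing ("We only support one ws-security configuration option for the producer" / "... to be used by all the consumers") and the second then undercuts itself by saying each consumer may enable or disable ws-security; one paragraph stating that there is a single producer-side configuration every consumer must satisfy, and a single shared consumer-side configuration that each consumer can switch on or off, would be clearer. Smaller items: "InIntereceptor" should be "InInterceptor"; "configured using using simple property files" doubles a word; "For more details on types of interceptors refer" and "for more details on CXF documentation refer" end without an object, so fold the following `<ulink>`s into those sentences; and the `<para>Important points to be considered while dealing with WS-Security</para>` that introduces the list needs a colon.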
@@ -253,7 +304,465 @@
<imagedata align="center" valign="middle"
scalefit="1" fileref="images/WSRP/config_wss_selected.png"
format="PNG"/>
</imageobject>
</mediaobject>
+ <section>
+ <title>Special JBoss Portal Platform Configuration Options for User
Propagation</title>
+ <para>In order to handle user propagation in GateIn Portal across
ws-security, a couple of special configuration options have been created which should be
applied to the consumer's WSS4JOutInterceptor.</para>
+ <section>
+ <title>Custom 'user' option</title>
+ <para><informalexample>
+ <programlisting>user=gtn.current.user</programlisting>
+ <para>This option sets the 'user' property to the
currently authenticated user on the consumer.</para>
+ </informalexample></para>
+ </section>
+ <section>
+ <title>Custom 'action' option</title>
+ <para><informalexample>
+
<programlisting>action=gtn.UsernameToken.ifCurrentUserAuthenticated</programlisting>
+ <para>If a user is currently authenticated, it will replace the
'gtn.UsernameToken.ifCurrentUserAuthenticated' with
'UsernameToken'. If the current user is an unauthenticated user,
'gtn.UsernameToken.ifCurrentUserAuthenticated' will be removed from the
action list. If no other actions are specified, then the WSS4J interceptor will not be
added to the consumer. This allows you to only use ws-security when dealing with
authenticated users, and not for anonymous users.</para>
+ </informalexample><note>
+ <para>This requires that the user option is set to
'gtn.current.user'</para>
+ </note></para>
+ </section>
+ <section>
+ <title>Custom PasswordCallbackClass</title>
+ <para>To set the password for the username token, we need to specify
the password in a callback class. See the cxf ws-security documentation for more details
<ulink
url="http://cxf.apache.org/docs/ws-security.html"/></para...
+ <para>A special callback class has already been created which handles
this for you: CurrentUserPasswordCallback. This class will retrieve the currently
authenticated user's password and set this as the password in the callback
object.</para>
+ <para><informalexample>
+
<programlisting>passwordCallbackClass=org.gatein.wsrp.wss.cxf.consumer.CurrentUserPasswordCallback</programlisting>
+ </informalexample></para>
+ </section>
+ </section>
</section>
+ <section>
+ <title>WS-Security Producer Configuration</title>
+ <para>
+The configuration of the producer is similar to that of the consumer. It also requires
having to configure the WSS4JInInterceptor and/or WSS4JOutInterceptor.
+ </para>
+ <section>
+ <title>Special GateIn Portal Configuration Options for User
Propagation</title>
+ <para>
+ To properly propagate user information on the producer-side, you will need to
use GTNSubjectCreatingInterceptor instead of a regular WSS4JInInterceptor. This GateIn
Portal specific "in" interceptor is an extension of the traditional
WSS4JInInterceptor and therefore can be configured similarly and accept the same
configuration properties. To specify that you want to use the
GTNSubjectCreatingInterceptor, please create a property file at
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/GTNSubjectCreatingInterceptor.properties</code>
+ instead of the regular WSS4JInInterceptor.properties file.
+ </para>
+ <para>This Interceptor will handle the ws-security headers and retrieve
the users credentials. It will then use these credentials to perform a login on the
producer site, thus authenticating the user on the producer and makes the user available
to remote portlets.</para>
+ <note>
+ <para>This class also extends
org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor and can accept
the same properties this class normally accepts. See the JBossWS documentation for options
and more information.</para>
+ </note>
+ </section>
+ <section>
+ <title>Custom 'action' option</title>
+ <informalexample>
+
<programlisting>action=gtn.UsernameToken.ifAvailable</programlisting>
+ </informalexample>
+ <para>When this option is activated, the interceptor will set the action
to 'UsernameToken' when the received SOAP message contains ws-security
headers. If no ws-security header is included in the message, then no action is taken and
the interceptor is not run. This is useful for dealing with authenticated and
unauthentcated users trying to access the producer.</para>
+ </section>
+ </section>
+ <section>
+ <title>Sample Configuration using the UsernameToken and User
Propagation</title>
+ <warning>
+ <para>This example configuration does not encrypt the message. This means
the username and password will be sent between the producer and consumer in plain text.
This is a security concern and is only being shown as a simple example. It is up to
administrators to properly configure the WSS4J Interceptors to encrypt messages or to only
use https communication between the producer and consumer.</para>
+ </warning>
+ <section>
+ <title>Producer Setup</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ create the following file:
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/GTNSubjectCreatingInterceptor.properties</code>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ set the content of
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ created in step 1 to:
+ </para>
+ <informalexample>
+
<programlisting>action=gtn.UsernameToken.ifAvailable</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>start the producer server</para>
+ </listitem>
+ </orderedlist>
+ <section>
+ <title>Sample Configuration Securing the Endpoints using Encryption and
Signing</title>
+ <para>The following steps outline how to configure the producer and
consumer to encrypt and sign SOAP messages passed between the producer and consumer. This
example only deals with SOAP messages being sent between the producer and consumer, and
not with user propagation.</para>
+ <note>
+ <para>
+ Some of the configuration options specified here are based on the content at
+ <ulink
url="http://cxf.apache.org/docs/ws-security.html"/>
+ and
+ <ulink
url="http://www.jroller.com/gmazza/entry/cxf_x509_profile"/>
+ More information may be available at these sites.
+ </para>
+ </note>
+ </section>
+ </section>
+ <section>
+ <title>Consumer Setup</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ create the following file:
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties</code>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ set the content of the
+ <code>WSS4JOutInterceptor.properties</code>
+ created in step 1 to:
+ </para>
+ <informalexample>
+ <programlisting>passwordType=PasswordText
+user=gtn.current.user
+action=gtn.UsernameToken.ifCurrentUserAuthenticated
+passwordCallbackClass=org.gatein.wsrp.wss.cxf.consumer.CurrentUserPasswordCallback</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>start the consumer server</para>
+ </listitem>
+ <listitem>
+ <para>in the WSRP admin portlet, click the 'enable
ws-security' checkbox</para>
+ </listitem>
+ <listitem>
+ <para>access a remote portlet (for example, the user identity portlet
included as an example portlet in GateIn Portal) and verify that the authenticated user is
the same as the one on the consumer</para>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
+ <section>
+ <title>Sample Configuration Securing the Endpoints using Encryption and
Signing</title>
+ <para>The following steps outline how to configure the producer and
consumer to encrypt and sign SOAP messages passed between the producer and consumer. This
example only deals with SOAP messages being sent between the producer and consumer, and
not with user propagation.</para>
+ <note>
+ <para>
+ Some of the configuration options specified here are based on the content at
+ <ulink
url="http://cxf.apache.org/docs/ws-security.html"/>
+ and
+ <ulink
url="http://www.jroller.com/gmazza/entry/cxf_x509_profile"/>
+ More information may be available at these sites.
+ </para>
+ </note>
+ <section>
+ <title>Password Callback Class</title>
+ <para>WSS4J uses a Java class to specify the password when performing any
security related actions. For the purpose of these encryption and signing examples, we
will use the same password for the producer's and consumer's keystore
(wsrpAliasPassword). This simplifies things a bit as it means we can use just one password
callback class for both the producer and consumer.</para>
+ <para>
+ Example
+ <code>test.TestCallbackHandler</code>
+ class:
+ </para>
+ <informalexample>
+ <programlisting>package test;
+ 
+import java.io.IOException;
+ 
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+ 
+import org.apache.ws.security.WSPasswordCallback;
+import org.gatein.wsrp.wss.cxf.consumer.CurrentUserPasswordCallback;
+ 
+public class TestCallbackHandler implements CallbackHandler
+{
+ 
+    @Override
+    public void handle(Callback[] callbacks) throws
IOException,
+           
UnsupportedCallbackException
+    {
+ 
+        //First check if
we have any user name token call backs to add.
+        //NOTE: only
needed if using username tokens, and you want the currently authenticated users password
added
+       
CurrentUserPasswordCallback currentUserPasswordCallback = new
CurrentUserPasswordCallback();
+       
currentUserPasswordCallback.handle(callbacks);
+ 
+        for (Callback
callback: callbacks)
+        {
+           
if (callback instanceof WSPasswordCallback)
+           
{
+               
WSPasswordCallback wsPWCallback = (WSPasswordCallback)callback;
+               
// since the CurrentUserPasswordCallback already handles the USERNAME_TOKEN case, we
don't want to set it in this case
+               
if (wsPWCallback.getUsage() != WSPasswordCallback.USERNAME_TOKEN)
+               
{
+                   
wsPWCallback.setPassword("wsrpAliasPassword");
+               
}
+           
}
+        }
+    }
+}</programlisting>
+ </informalexample>
+ <note>
+ <para>
+ CallbackHandler implementations are provided to GateIn Portal using the
standard Java
+ <ulink
url="http://docs.oracle.com/javase/6/docs/api/java/util/ServiceLoade...
+ infrastructure. As such, CallbackHandler implementations need to be bundled
in a jar containing a file
+
<code>META-INF/services/javax.security.auth.callback.CallbackHandler</code>
+ specifying the fully qualified name of the CallbackHandler implementation
class. This jar then needs to be put in the
+ <code>gatein/extensions</code>
+ directory of your GateIn Portal installation.
+ </para>
+ </note>
+ <para>
+ You can see a working example of a CallbackHandler implentation at
+ <ulink
url="https://github.com/gatein/gatein-wsrp/tree/master/examples/wss-...
+ </para>
+ </section>
+ <section>
+ <title>Configuring the Keystores</title>
+ <note>
+ <para>In this example we are making it a bit easier by specifying the
same keystore password for both the producer and consumer, as they can use the same
password callback class.</para>
+ </note>
+ <orderedlist>
+ <listitem>
+ <para>Generate the producer's private encryption
keys</para>
+ <informalexample>
+ <programlisting>keytool -genkey -alias producerAlias -keypass
wsrpAliasPassword -keystore producer.jks -storepass keyStorePassword -dname
"cn=producerAlias" -keyalg RSA</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Export the producer's public key</para>
+ <informalexample>
+ <programlisting>keytool -export -alias producerAlias -file
producerkey.rsa -keystore producer.jks -storepass keyStorePassword</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Generate the consumer's private encryption
keys</para>
+ <informalexample>
+ <programlisting>keytool -genkey -alias consumerAlias -keypass
wsrpAliasPassword -keystore consumer.jks -storepass keyStorePassword -dname
"cn=consumerAlias" -keyalg RSA</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Export the consumer's public key</para>
+ <informalexample>
+ <programlisting>keytool -export -alias consumerAlias -file
consumerkey.rsa -keystore consumer.jks -storepass keyStorePassword</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Import the consumer's public key into the
producer's keystore</para>
+ <informalexample>
+ <programlisting>keytool -import -alias consumerAlias 
-file consumerkey.rsa -keystore producer.jks -storepass keyStorePassword
-noprompt</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Import the producer's public key into the
consumer's keystore</para>
+ <informalexample>
+ <programlisting>keytool -import -alias producerAlias 
-file producerkey.rsa -keystore consumer.jks -storepass keyStorePassword
-noprompt</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Copy the
+ <code>producer.jks</code>
+ file to the
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer</code>
+ directory on the producer
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Copy the
+ <code>consumer.jks</code>
+ file to the
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/consumer</code>
+ directory on the consumer
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section>
+ <title>Configuring the Producer</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ Create
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JInInterceptor.properties</code>
+ with the following content. This will configure the incoming message
between the producer and the consumer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=producer-security.properties
+decryptionPropFile=producer-security.properties
+passwordCallbackClass=test.TestCallbackHandler</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Create
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/WSS4JOutInterceptor.properties</code>
+ with the following content. This will configure the outgoing message
between the producer and the consumer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=producer-security.properties
+encryptionPropFile=producer-security.properties
+passwordCallbackClass=test.TestCallbackHandler
+user=producerAlias
+encryptionUser=consumerAlias
+signatureUser=producerAlias</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Create
+
<code>standalone/configuration/gatein/wsrp/cxf/ws-security/producer/producer-security.properties</code>
+ with the following content:
+ </para>
+ <informalexample>
+
<programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=keyStorePassword
+org.apache.ws.security.crypto.merlin.file=producer.jks</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ The
+ <code>passwordCallbackClass</code>
+ property in these configuration files needs to match the fully qualified
name of your CallbackHandler implementation class. In our case, it is
+ <code>test.TestCallbackHandler</code>
+ .
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section>
+ <title>Configuring the Consumer</title>
+ <orderedlist>
+ <listitem>
+ <para>
+ Create standalone/
+
<code>configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JOutInterceptor.properties</code>
+ with the following content. This will configure the outgoing message
between the consumer and the producer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=consumer-security.properties
+encryptionPropFile=consumer-security.properties
+passwordCallbackClass=test.TestCallbackHandler
+user=consumerAlias
+encryptionUser=producerAlias
+signatureUser=consumerAlias</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ Create standalone/
+
<code>configuration/gatein/wsrp/cxf/ws-security/consumer/WSS4JInInterceptor.properties</code>
+ with the following content. This will configure the incoming message
between the consumer and the producer
+ </para>
+ <informalexample>
+ <programlisting>action=Signature Encrypt Timestamp
+signaturePropFile=consumer-security.properties
+decryptionPropFile=consumer-security.properties
+passwordCallbackClass=test.TestCallbackHandler</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>Create
standalone/configuration/gatein/wsrp/cxf/ws-security/consumer/consumer-security.properties
with the following content:</para>
+ <informalexample>
+
<programlisting>org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=keyStorePassword
+org.apache.ws.security.crypto.merlin.file=consumer.jks</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ The
+ <code>passwordCallbackClass</code>
+ property in these configuration files needs to match the fully qualified
name of your CallbackHandler implementation class. In our case, it is
+ <code>test.TestCallbackHandler</code>
+ .
+ </para>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
+ <section>
+ <title>Sample Configuration using UsernameToken, Encryption and Signing
with User Propagation</title>
+ <para>The following setps outline how to configure the producer and
consumer to encrypt and sign the soap message as well as use user propagation between the
producer and consumer.</para>
+ <section>
+ <title>Configure the Producer</title>
+ <para>
+ Follow the steps outlined in the
+ Sample Configuration Securing the Endpoints using Encryption and Signing
+ section but make the following changes:
+ </para>
+ <orderedlist>
+ <listitem>
+ <para>
+ rename the
+ <code>WSS4JInInterceptor.properties</code>
+ file to
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ set the action property in
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>action= gtn.UsernameToken.ifAvailable Signature
Encrypt Timestamp</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ set the passwordType in
+ <code>GTNSubjectCreatingInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>passwordType=PasswordText</programlisting>
+ </informalexample>
+ </listitem>
+ </orderedlist>
+ </section>
+ <section id="sid-54264620_SecuringWSRP-ConfiguretheConsumer">
+ <title>Configure the Consumer</title>
+ <para>
+ Follow the steps outlined in the
+ Sample Configuration Securing the Endpoints using Encryption and Signing
+ section but make the following changes:
+ </para>
+ <orderedlist>
+ <listitem>
+ <para>
+ set the action property in
+ <code>WSS4JOutInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>action=gtn.UsernameToken.ifCurrentUserAuthenticated
Signature Encrypt Timestamp</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ set the user in the
+ <code>WSS4JOutInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>user=gtn.current.user</programlisting>
+ </informalexample>
+ </listitem>
+ <listitem>
+ <para>
+ set the passwordType in the
+ <code>WSS4JOutInterceptor.properties</code>
+ as:
+ </para>
+ <informalexample>
+ <programlisting>passwordType=PasswordText</programlisting>
+ </informalexample>
+ </listitem>
+ </orderedlist>
+ </section>
+ </section>
</section>
</section>
<section>
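Review bot: the "Sample Configuration Securing the Endpoints using Encryption and Signing" `<section>` appears twice in this hunk: once nested inside "Producer Setup" of the UsernameToken sample (directly after the "start the producer server" step, holding only the intro paragraph and the note) and again in full as a sibling section later on. The nested copy is a paste error and should be removed. Related structure point: on the consumer side "Custom 'action' option" and "Custom PasswordCallbackClass" are children of "Special ... Configuration Options for User Propagation", but on the producer side "Custom 'action' option" is a sibling of that section rather than a child; nest it the same way. Product naming is mixed because the text was taken from the GateIn docs: "GateIn Portal" ("Special GateIn Portal Configuration Options", "user propagation in GateIn Portal", "your GateIn Portal installation") should read JBoss Portal Platform like the rest of the chapter. Typos to fix: "unauthentcated", "setps", "implentation", "the users credentials" (user's), and "when configuring the producer and server" should be "producer and consumer"; in the two consumer steps "Create standalone/ `<code>configuration/...</code>`" splits one path across prose and `<code>`. On the security content: `TestCallbackHandler` hard-codes `wsrpAliasPassword` and both `*-security.properties` files carry `keyStorePassword` in clear, while the `<warning>` only covers the unencrypted UsernameToken sample; a sentence beside the "Password Callback Class" note saying that the shared example passwords and `passwordType=PasswordText` are for the walkthrough only, with distinct per-side credentials expected in a real deployment, would close that gap. Finally, `<para><informalexample>` and `<para><note>` wrappers are used in some places while the same hunk elsewhere puts `<informalexample>` and `<note>` directly in the `<section>`; use the direct form consistently.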
@@ -372,7 +881,7 @@
<para>WSRP Producers vary a lot as far as how they are configured. Most of them
require that you specify
the URL for the Producer's WSDL definition. Please refer to the remote
producer's documentation for specific
instructions. For instructions on how to do so in JBoss Portal Platform, please
refer to
- <xref linkend="consumer_configuration"/>.
+ Consumer Configuration.
</para>
<para>
JBoss Portal Platform's Producer is automatically set up when you deploy a
portal instance with the WSRP service.
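Review bot: replacing `<xref linkend="consumer_configuration"/>` with the literal text "Consumer Configuration." loses the link and does not even match the target section's title ("Consuming remote WSRP portlets in JBoss Portal Platform"); keep the xref and the `id` it points to rather than flattening it to prose.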
@@ -385,7 +894,7 @@
and the default port is 8080.
</para>
</section>
- <section id="consumer_configuration">
+ <section>
<title>Consuming remote WSRP portlets in JBoss Portal Platform</title>
<section>
<title>Overview</title>
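Review bot: dropping `id="consumer_configuration"` is what forces the two xref removals elsewhere in this patch, and any other chapter of the guide that links to this id will break at build time as well. The id costs nothing to keep; retain it and restore the xrefs.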
@@ -400,7 +909,7 @@
Application Registry to be added to categories and then to pages.
</para>
</section>
- <section id="consumer_gui">
+ <section>
<title>Configuring a remote producer using the configuration
portlet</title>
<para>
This section will cover the steps of defining access to a remote producer
using the configuration portlet so that its portlets can be
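Review bot: `id="consumer_gui"` is still needed by the note in the last hunk of this file, where the xref to it has been flattened to the bare string `consumer_gui .`; keep the id here and leave that xref in place.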
@@ -524,7 +1033,7 @@
</mediaobject>
</para>
</section>
- <section id="consumer_xml">
+ <section>
<title>Configuring access to remote producers via XML</title>
<para>While it is recommended you use the WSRP Configuration portlet to
configure Consumers, the component provides an
alternative way to configure consumers by adding an XML file called
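Review bot: `id="consumer_xml"` is removed with no visible replacement; unless it is known to be unreferenced across the whole guide, keep it, since a dangling xref only surfaces when the book is built.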
@@ -655,7 +1164,7 @@
<para>
This file contains the default configuration and you should not need
to edit it. If you want to make
modifications to it, it is recommended that you follow the procedure
detailed in
- <xref linkend="consumer_gui"/>.
+consumer_gui .
</para>
</note>
</para>
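Review bot: the replacement line `consumer_gui .` leaks the anchor id into the rendered text with a stray space before the period. This should stay `<xref linkend="consumer_gui"/>.` (with the id kept on its section) or, at minimum, read as the target section's title, "Configuring a remote producer using the configuration portlet".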